Under The Knife: My Health Record And Your Rights To Privacy

As readers will be aware, the My Health Record system is the Australian Government’s digital health record system. It holds ‘My Health Records’, which are online summaries of an individual’s health information.


A My Health Record contains details such as what medicines a person may be taking, hospital discharge summaries, reports from tests and scans, what treatments they have received, allergy information and referral letters.

The system has been plagued by privacy and cyber-security concerns, which contributed to the Government extending the opt-out period. Statistics from the Australian Digital Health Agency (ADHA) presented to the Senate Estimates Committee revealed that 1 in 10 Australians (approximately 2.5 million people) have elected to opt out of the scheme. An additional 300,000 have also cancelled their Record since the opt-out period expired. This acts as a timely reminder that Australians are increasingly taking proactive steps to protect their personal data.

In this article, we will explore some of the legal and privacy issues associated with the system in more detail.

Can a Court or Tribunal access the information in My Health Record?

The ADHA is the ‘System Operator’ of the My Health Record system.  

A Court or Tribunal can direct the ADHA to disclose to it the information in a person’s My Health Record only in limited circumstances.

One circumstance is where the proceedings relate to: 

  • the My Health Records Act 2012 (Cth) (the Act); 
  • unauthorised access to information through the My Health Record system; or
  • the provision of indemnity cover to a healthcare provider.

A second circumstance is where a coroner orders or directs the ADHA to disclose the information. 

What this makes clear is that, unless you fall within one of the above-mentioned categories, you cannot rely on issuing a subpoena to the ADHA if you need to obtain the information contained within another person’s My Health Record. You will need to seek the information from the primary source. As such, the ADHA is more accurately described as the aggregator of the health data.

Alternatively, you can consent to the ADHA disclosing your My Health Record to a Court or Tribunal. 

Can an insurer demand access to My Health Record?

It is an offence under section 70A of the Act for an insurer to request, require or use information in your My Health Record to:

  • underwrite your insurance contract;
  • determine whether to enter into an insurance contract that covers you, either alone or as a member of a class; or
  • determine whether an insurance contract covers you in relation to a particular event. 

Your medical practitioner also cannot use the information in your My Health Record for the above purposes, even if you have consented. 

However, insurance that does not extend beyond the limit of the State concerned (generally Workers Compensation insurance) is excluded from the above provisions.

Can my employer demand access to My Health Record?

As with the situation concerning an insurer discussed above, the Act also makes it an offence for your employer to use or request information in your My Health Record to employ, continue to employ or cease to employ you.

Lavan comment

Lavan’s Cyber and Data Protection team can assist you and your organisation with navigating your rights and obligations in relation to the My Health Record system, as well as privacy and cybersecurity more broadly. Should you have any questions in relation to any of the topics raised in this article, please do not hesitate to contact Iain Freeman, Lorraine Madden or Andrew Sutton.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.